diff --git a/Makefile.in.diff b/Makefile.in.diff
index f99f64a..95eda63 100644
--- a/Makefile.in.diff
+++ b/Makefile.in.diff
@@ -2,7 +2,7 @@ Index: bind-9.9.3-P1/bin/named/Makefile.in
===================================================================
--- bind-9.9.3-P1.orig/bin/named/Makefile.in
+++ bind-9.9.3-P1/bin/named/Makefile.in
-@@ -175,9 +175,7 @@ installdirs:
+@@ -176,9 +176,7 @@ installdirs:
install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
diff --git a/bind-9.9.4-P2.tar.gz b/bind-9.9.4-P2.tar.gz
deleted file mode 100644
index da07c8c..0000000
--- a/bind-9.9.4-P2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:50f3c6431e26d3f322b69092a49c92e163e73029fe4a1933ce532dc97ec40a89
-size 7513077
diff --git a/bind-9.9.4-P2.tar.gz.asc b/bind-9.9.4-P2.tar.gz.asc
deleted file mode 100644
index bd3de92..0000000
--- a/bind-9.9.4-P2.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.12 (NetBSD)
-
-iQEcBAABAgAGBQJSxzKdAAoJEEWseFcYnNvFBRMH+QE4AkJ4CoZPcO0PcE6+2AFA
-BEXCJJSyMfZr3R0Wblb+lhWehnnWpxqV8FCwM9gecFXn0J44aJ+U8nh3WA8ROAas
-5NfXjll34YDDo8UU9wGZ7XmPpzUnn6DoncVz1BeV1VwqLIADv6WkoSx0HasYQ4Vf
-bHwGJI1cFCLDpy8XhjLAb4iUkdE9NSmvJ+6OZJ0ZtgYymnnNWI2YvHn95DM3DQbS
-lURMaiqiwNmhuk4Q4qzoAPrbpEqRG/PmFxRiZWk9irPhBsSoJKU/wbOFyTD+iJAv
-+pugh+S9lXkqR5bWLKzR8rpW4ydV9KVuxo6jW4dT4kR7QbU+zdMC6CAW/99duqQ=
-=F/NG
------END PGP SIGNATURE-----
diff --git a/bind-9.9.5-P1.tar.gz b/bind-9.9.5-P1.tar.gz
new file mode 100644
index 0000000..2439739
--- /dev/null
+++ b/bind-9.9.5-P1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a41f7813f3a6eb0dcae961651ec93896fd82074929bc6c1d8c90b04a2417b850
+size 7730150
diff --git a/bind-9.9.5-P1.tar.gz.asc b/bind-9.9.5-P1.tar.gz.asc
new file mode 100644
index 0000000..6166b6a
--- /dev/null
+++ b/bind-9.9.5-P1.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (NetBSD)
+
+iQEcBAABAgAGBQJTldadAAoJEEWseFcYnNvFsLAH/iepQdJvNgfZ5inZ//Kp8QeO
+5dv6f7a6UvfHZiD5wh8p9MCiIKVgxdeVV5HsSOsu8UpnzXRsmC2aH3etdxhlIsqu
+QTGfJzLiIY1Y+/xnSqUXHfKdJ4aCsHQqXiGqFi8oAW26DIQgjHDRfLhYkEWBeXss
+KjhCiI0FDjxvEqQ3orFWwUBV6RfHyIwTL186R/57r9xTtzJZFapvXMvV4TJjYAvU
+8UqPwP36mD7sdQEjg6PCOnrDtCheHLwF1q5m3a1rsuKmV3W3a2BZvTA2mW1xdrHb
+oo0Vbvt6GfzmFJHhs2G2VEj4405ALOmqLGejxs7pSbcZ1yyPlU/L/pcn+s1iB/Q=
+=zuFR
+-----END PGP SIGNATURE-----
diff --git a/bind-sdb-ldap.patch b/bind-sdb-ldap.patch
index 82adb28..f225ca5 100644
--- a/bind-sdb-ldap.patch
+++ b/bind-sdb-ldap.patch
@@ -27,7 +27,7 @@ Index: bin/named/main.c
#ifdef CONTRIB_DLZ
/*
-@@ -904,6 +905,7 @@
+@@ -922,6 +923,7 @@
* Add calls to register sdb drivers here.
*/
/* xxdb_init(); */
@@ -35,7 +35,7 @@ Index: bin/named/main.c
#ifdef ISC_DLZ_DLOPEN
/*
-@@ -940,6 +942,7 @@
+@@ -958,6 +960,7 @@
* Add calls to unregister sdb drivers here.
*/
/* xxdb_clear(); */
diff --git a/bind.changes b/bind.changes
index 0a47302..c9a4634 100644
--- a/bind.changes
+++ b/bind.changes
@@ -1,3 +1,129 @@
+-------------------------------------------------------------------
+Thu Jul 31 21:40:49 UTC 2014 - lmuelle@suse.com
+
+- Package dnssec-checkds and dnssec-coverage binaries and man pages only on
+ post-11.1 systems.
+
+-------------------------------------------------------------------
+Thu Jul 31 17:20:38 UTC 2014 - lmuelle@suse.com
+
+- Update to version 9.9.5P1
+ Various bugfixes and some feature fixes. (see CHANGES files)
+ Security and maintenance issues:
+
+ - [bug] Don't call qsort with a null pointer. [RT #35968]
+ - [bug] Disable GCC 4.9 "delete null pointer check". [RT #35968]
+ - [port] linux: libcap support: declare curval at start of block. [RT #35387]
+
+- Update to version 9.9.5
+ - [bug] Address double dns_zone_detach when switching to using automatic
+ empty zones from regular zones. [RT #35177]
+ - [port] Use built-in versions of strptime() and timegm() on all platforms
+ to avoid portability issues. [RT #35183]
+ - [bug] Address a portentry locking issue in dispatch.c. [RT #35128]
+ - [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND on a missing
+ resolv.conf file and initializes the structure as if it had been
+ configured with nameserver ::1 nameserver 127.0.0.1 [RT #35194]
+ - [contrib] queryperf: Fixed a possible integer overflow when printing
+ results. [RT #35182]
+ - [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
+ - [func] named-checkconf can now obscure shared secrets when printing by
+ specifying '-x'. [RT #34465]
+ - [bug] Improvements to statistics channel XSL stylesheet: the stylesheet can
+ now be cached by the browser; section headers are omitted from the stats
+ display when there is no data in those sections to be displayed; counters
+ are now right-justified for easier readability. (Only available with
+ configure --enable-newstats.) [RT #35117]
+ - [cleanup] Replaced all uses of memcpy() with memmove(). [RT #35120]
+ - [bug] Handle "." as a search list element when IDN support is enabled.
+ [RT #35133]
+ - [bug] dig failed to handle AXFR style IXFR responses which span multiple
+ messages. [RT #35137]
+ - [bug] Address a possible race in dispatch.c. [RT #35107]
+ - [bug] Warn when a key-directory is configured for a zone, but does not
+ exist or is not a directory. [RT #35108]
+ - [security] memcpy was incorrectly called with overlapping ranges resulting
+ in malformed names being generated on some platforms. This could cause
+ INSIST failures when serving NSEC3 signed zones (CVE-2014-0591).
+ [RT #35120]
+ - [bug] Two calls to dns_db_getoriginnode were fatal if there was no data at
+ the node. [RT #35080]
+ - [bug] Iterative responses could be missed when the source port for an
+ upstream query was the same as the listener port (53). [RT #34925]
+ - [bug] Fixed a bug causing an insecure delegation from one static-stub zone
+ to another to fail with a broken trust chain. [RT #35081]
+ - [bug] loadnode could return a freed node on out of memory. [RT #35106]
+ - [bug] Address null pointer dereference in zone_xfrdone. [RT #35042]
+ - [func] "dnssec-signzone -Q" drops signatures from keys that are still
+ published but no longer active. [RT #34990]
+ - [bug] "rndc refresh" didn't work correctly with slave zones usingi
+ inline-signing. [RT #35105]
+ - [cleanup] Add a more detailed "not found" message to rndc commands which
+ specify a zone name. [RT #35059]
+ - [bug] Correct the behavior of rndc retransfer to allow inline-signing slave
+ zones to retain NSEC3 parameters instead of reverting to NSEC. [RT #34745]
+ - [port] Update the Windows build system to support feature selection and
+ WIN64 builds. This is a work in progress. [RT #34160]
+ - [bug] dig could fail to clean up TCP sockets still waiting on connect().
+ [RT #35074]
+ - [port] Update config.guess and config.sub. [RT #35060]
+ - [bug] 'nsupdate' leaked memory if 'realm' was used multiple times.
+ [RT #35073]
+ - [bug] "named-checkconf -z" now checks zones of type hint and redirect as
+ well as master. [RT #35046]
+ - [misc] Provide a place for third parties to add version information for
+ their extensions in the version file by setting the EXTENSIONS variable.
+ - [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026]
+ - [func] Local address can now be specified when using dns_client API.
+ [RT #34811]
+ - [bug] Don't allow dnssec-importkey overwrite a existing non-imported
+ private key.
+ - [bug] Address read after free in server side of lwres_getrrsetbyname.
+ [RT #29075]
+ - [bug] Fix cast in lex.c which could see 0xff treated as eof. [RT #34993]
+ - [bug] Failure to release lock on error in receive_secure_db. [RT #34944]
+ - [bug] Updated OpenSSL PKCS#11 patches to fix active list locking and other
+ bugs. [RT #34855]
+ - [bug] Address bugs in dns_rdata_fromstruct and dns_rdata_tostruct for WKS
+ and ISDN types. [RT #34910]
+ - [bug] 'host' could die if a UDP query timed out. [RT #34870]
+ - [bug] Address lock order reversal deadlock with inline zones. [RT #34856]
+ - [cleanup] Changed the name of "isc-config.sh" to "bind9-config".
+ [RT #23825]
+ - [port] linux: Address platform specific compilation issue when libcap-devel
+ is installed. [RT #34838]
+ - [port] Some readline clones don't accept NULL pointers when calling
+ add_history. [RT #34842]
+ - [cleanup] Simplify TCP message processing when requesting a zone transfer.
+ [RT #34825]
+ - [bug] Address race condition with manual notify requests. [RT #34806]
+ - [func] Create delegations for all "children" of empty zones except
+ "forward first". [RT #34826]
+ - [tuning] Adjust when a master server is deemed unreachable. [RT #27075]
+ - [tuning] Use separate rate limiting queues for refresh and notify
+ requests. [RT #30589]
+ - [cleanup] Include a comment in .nzf files, giving the name of the
+ associated view. [RT #34765]
+ - [bug] Address a race condition when shutting down a zone. [RT #34750]
+ - [bug] Journal filename string could be set incorrectly, causing garbage in
+ log messages. [RT #34738]
+ - [protocol] Use case sensitive compression when responding to queries.
+ [RT #34737]
+ - [protocol] Check that EDNS subnet client options are well formed.
+ [RT #34718]
+ - [func] Allow externally generated DNSKEY to be imported into the DNSKEY
+ management framework. A new tool dnssec-importkey is used to do this.
+ [RT #34698]
+ - [bug] Handle changes to sig-validity-interval settings better. [RT #34625]
+ - [bug] ndots was not being checked when searching. Only continue searching
+ on NXDOMAIN responses. Add the ability to specify ndots to nslookup.
+ [RT #34711]
+ - [bug] Treat type 65533 (KEYDATA) as opaque except when used in a key zone.
+ [RT #34238]
+- Updated to current rpz patch from·http://ss.vix.su/~vjs/rrlrpz.html
+ - rpz2-9.9.4.patch
+ + rpz2+rl-9.9.5.patch
+
-------------------------------------------------------------------
Sun Jun 1 13:30:10 UTC 2014 - chris@computersalat.de
diff --git a/bind.spec b/bind.spec
index 0c9585a..463ace4 100644
--- a/bind.spec
+++ b/bind.spec
@@ -18,7 +18,7 @@
Name: bind
%define pkg_name bind
-%define pkg_vers 9.9.4-P2
+%define pkg_vers 9.9.5-P1
BuildRequires: krb5-devel
BuildRequires: libcap
BuildRequires: libcap-devel
@@ -33,7 +33,7 @@ BuildRequires: update-desktop-files
Summary: Domain Name System (DNS) Server (named)
License: ISC
Group: Productivity/Networking/DNS/Servers
-Version: 9.9.4P2
+Version: 9.9.5P1
Release: 0
Provides: bind8
Provides: bind9
@@ -66,8 +66,8 @@ BuildRequires: gpg-offline
# Rate limiting patch by Paul Vixie et.al. for reflection DoS protection
# see http://www.redbarn.org/dns/ratelimits
-#Patch200: http://ss.vix.su/~vjs/rpz2-9.9.4.patch
-Patch200: rpz2-9.9.4.patch
+#Patch200: http://ss.vix.su/~vjs/rpz2+rl-9.9.5.patch
+Patch200: rpz2+rl-9.9.5.patch
Source60: dlz-schema.txt
%if %ul_version >= 1
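Review bot: The only provenance recorded for Patch200 is the commented-out `http://ss.vix.su/~vjs/rpz2+rl-9.9.5.patch` URL — plain HTTP, no digest — while the tarball next to it gets a detached PGP signature and `BuildRequires: gpg-offline`; a third-party patch that rewrites bin/named/query.c and server.c deserves at least a recorded checksum. Suggest adding `# sha256 of the upstream patch as fetched: <value>` next to the URL line so the vendored copy can be compared against upstream later. The vendored file also appears to have been regenerated with `diff -r -u` and synthetic 2004 timestamps (see the rewritten headers further down in this commit), which makes a byte comparison with what ss.vix.su served harder, so the hash should be of the file as fetched rather than the rewritten one. The context comment above still describes the patch only as rate limiting; given the `rpz2+` prefix and the RPZ-heavy content, `# Response policy zone (rpz2) and rate limiting (rl) patch by Paul Vixie et al.` would be more accurate.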
@@ -589,11 +589,13 @@ fi
%attr(0644,root,named) %ghost /%{_sysconfdir}/named.conf.include
%attr(0640,root,named) %ghost %config(noreplace) /%{_sysconfdir}/rndc.key
%config /%{_sysconfdir}/init.d/named
+%{_bindir}/bind9-config
%{_sbindir}/rcnamed
%{_sbindir}/named
%{_sbindir}/named-checkconf
%{_sbindir}/named-checkzone
%{_sbindir}/named-compilezone
+%doc %{_mandir}/man1/bind9-config.1.gz
%doc %{_mandir}/man5/named.conf.5.gz
%doc %{_mandir}/man8/named-checkconf.8.gz
%doc %{_mandir}/man8/named-checkzone.8.gz
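Review bot: `%{_bindir}/bind9-config` is added to the %files list of the server package (the one shipping `%{_sbindir}/named` and the init script), but per the changelog it is the renamed isc-config.sh, a build-flag helper for linking against the BIND libraries with no runtime use for named. If the spec has a -devel subpackage (not visible in this hunk), the script and its man1 page belong there, which also keeps the server package's surface minimal. Otherwise a one-line comment such as `# bind9-config: build-flag helper (ex isc-config.sh), kept here for lack of a -devel package` would explain the placement to the next maintainer.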
@@ -688,9 +690,12 @@ fi
%{_bindir}/runidn
%{_sbindir}/arpaname
%{_sbindir}/ddns-confgen
+%if 0%{?suse_version} > 1110
%{_sbindir}/dnssec-checkds
%{_sbindir}/dnssec-coverage
+%endif
%{_sbindir}/dnssec-dsfromkey
+%{_sbindir}/dnssec-importkey
%{_sbindir}/dnssec-keyfromlabel
%{_sbindir}/dnssec-keygen
%{_sbindir}/dnssec-revoke
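Review bot: Guarding `dnssec-checkds` and `dnssec-coverage` with `%if 0%{?suse_version} > 1110` only drops them from the file list; unless %install (outside this hunk) also removes or never builds them on older targets, rpmbuild will stop with "Installed (but unpackaged) file(s) found" there, and on non-SUSE builds where suse_version is unset the condition is false as well. Suggest pairing the guard with a matching `%if 0%{?suse_version} <= 1110` block in %install doing `rm -f %{buildroot}%{_sbindir}/dnssec-checkds %{buildroot}%{_sbindir}/dnssec-coverage`, or a comment on the `%if` naming where that removal already happens. The changelog entry gives no reason for the cutoff; a short comment stating it (presumably the interpreter these two scripts need, which older releases lack — to be confirmed) would help the next maintainer.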
@@ -715,8 +720,10 @@ fi
%doc %{_mandir}/man1/nsupdate.1.gz
%doc %{_mandir}/man5/rndc.conf.5.gz
%doc %{_mandir}/man8/ddns-confgen.8.gz
+%if 0%{?suse_version} > 1110
%doc %{_mandir}/man8/dnssec-checkds.8.gz
%doc %{_mandir}/man8/dnssec-coverage.8.gz
+%endif
%doc %{_mandir}/man8/dnssec-dsfromkey.8.gz
%doc %{_mandir}/man8/dnssec-keyfromlabel.8.gz
%doc %{_mandir}/man8/dnssec-keygen.8.gz
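Review bot: `dnssec-importkey` gets its binary packaged in the preceding hunk, but no `%doc %{_mandir}/man8/dnssec-importkey.8.gz` entry appears here between the dsfromkey and keyfromlabel lines, where alphabetical order would put it. Every other dnssec-* tool in this list has its man8 page packaged, so if the 9.9.5 build installs one for importkey as well the build fails on an unpackaged file; add `%doc %{_mandir}/man8/dnssec-importkey.8.gz` after the dsfromkey line, or leave a comment saying where it is listed if it is handled elsewhere. The `%if 0%{?suse_version} > 1110` guard mirrors the one on the binaries, so those two lists do stay consistent.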
diff --git a/configure.in.diff b/configure.in.diff
index a970833..baedcd2 100644
--- a/configure.in.diff
+++ b/configure.in.diff
@@ -2,7 +2,7 @@ Index: bind-9.9.4-P2/configure.in
===================================================================
--- bind-9.9.4-P2.orig/configure.in 2013-12-20 01:28:28.000000000 +0100
+++ bind-9.9.4-P2/configure.in 2014-01-21 17:55:51.063395215 +0100
-@@ -3142,7 +3142,7 @@
+@@ -3172,7 +3172,7 @@
# empty). The variable VARIABLE will be substituted into output files.
#
diff --git a/named-bootconf.diff b/named-bootconf.diff
index fc18c23..e958144 100644
--- a/named-bootconf.diff
+++ b/named-bootconf.diff
@@ -2,7 +2,7 @@ Index: contrib/named-bootconf/named-bootconf.sh
===================================================================
--- contrib/named-bootconf/named-bootconf.sh.orig
+++ contrib/named-bootconf/named-bootconf.sh
-@@ -54,7 +54,8 @@
+@@ -47,7 +47,8 @@
# POSSIBILITY OF SUCH DAMAGE.
if [ ${OPTIONFILE-X} = X ]; then
@@ -12,7 +12,7 @@ Index: contrib/named-bootconf/named-bootconf.sh
( umask 077 ; mkdir $WORKDIR ) || {
echo "unable to create work directory '$WORKDIR'" >&2
exit 1
-@@ -308,7 +309,7 @@ if [ $DUMP -eq 1 ]; then
+@@ -301,7 +302,7 @@ if [ $DUMP -eq 1 ]; then
cat $ZONEFILE $COMMENTFILE
rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE
diff --git a/pid-path.diff b/pid-path.diff
index 1009de6..4d55ad3 100644
--- a/pid-path.diff
+++ b/pid-path.diff
@@ -2,7 +2,7 @@ Index: bin/named/include/named/globals.h
===================================================================
--- bin/named/include/named/globals.h.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/named/include/named/globals.h 2013-08-05 14:14:28.152275375 +0200
-@@ -139,9 +139,9 @@
+@@ -140,9 +140,9 @@
"lwresd.pid");
#else
EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR
diff --git a/pie_compile.diff b/pie_compile.diff
index 71a2d1a..854a844 100644
--- a/pie_compile.diff
+++ b/pie_compile.diff
@@ -124,7 +124,7 @@ Index: bin/nsupdate/Makefile.in
===================================================================
--- bin/nsupdate/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/nsupdate/Makefile.in 2013-08-06 12:08:19.493457729 +0200
-@@ -66,8 +66,12 @@
+@@ -68,8 +68,12 @@
MANOBJS = ${MANPAGES} ${HTMLPAGES}
diff --git a/rpz2-9.9.4.patch b/rpz2+rl-9.9.5.patch
similarity index 95%
rename from rpz2-9.9.4.patch
rename to rpz2+rl-9.9.5.patch
index 6726bf4..c6f3fa7 100644
--- a/rpz2-9.9.4.patch
+++ b/rpz2+rl-9.9.5.patch
@@ -1,7 +1,6 @@
-Index: bin/named/query.c
-===================================================================
---- bin/named/query.c.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/named/query.c 2014-01-21 17:56:13.516661510 +0100
+diff -r -u bin/named/query.c-orig bin/named/query.c
+--- bin/named/query.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/named/query.c 2004-01-01 00:00:00.000000000 +0000
@@ -879,11 +879,11 @@
static void
rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
@@ -829,6 +828,8 @@ Index: bin/named/query.c
- result = dns_name_concatenate(prefix, suffix,
- rpz_qname, NULL);
- if (result == ISC_R_SUCCESS)
+- break;
+- INSIST(result == DNS_R_NAMETOOLONG);
+ dns_fixedname_init(&p_namef);
+ p_name = dns_fixedname_name(&p_namef);
+ result = rpz_get_p_name(client, p_name, rpz, rpz_type, ip_name);
@@ -840,12 +841,24 @@ Index: bin/named/query.c
+ p_rdatasetp, &policy);
+ switch (result) {
+ case DNS_R_NXDOMAIN:
-+ /*
+ /*
+- * Trim the name until it is not too long.
+ * Continue after a policy record that is missing
+ * contrary to the summary data. The summary
+ * data can out of date during races with and among
+ * policy zone updates.
-+ */
+ */
+- labels = dns_name_countlabels(prefix);
+- if (labels < 2) {
+- rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
+- rpz_type, suffix,
+- "concatentate() ", result);
+- return (ISC_R_SUCCESS);
+- }
+- if (labels+1 == dns_name_countlabels(qname)) {
+- rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1,
+- rpz_type, suffix,
+- "concatentate() ", result);
+ continue;
+ case DNS_R_SERVFAIL:
+ rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp);
@@ -875,26 +888,13 @@ Index: bin/named/query.c
+ (st->m.type == rpz_type &&
+ st->m.prefix == prefix &&
+ 0 > dns_name_rdatacompare(st->p_name, p_name)))
- break;
-- INSIST(result == DNS_R_NAMETOOLONG);
++ break;
+
- /*
-- * Trim the name until it is not too long.
++ /*
+ * Stop checking after saving an enabled hit in this
+ * policy zone. The radix tree in the policy zone
+ * ensures that we found the longest match.
- */
-- labels = dns_name_countlabels(prefix);
-- if (labels < 2) {
-- rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
-- rpz_type, suffix,
-- "concatentate() ", result);
-- return (ISC_R_SUCCESS);
-- }
-- if (labels+1 == dns_name_countlabels(qname)) {
-- rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1,
-- rpz_type, suffix,
-- "concatentate() ", result);
++ */
+ if (rpz->policy != DNS_RPZ_POLICY_DISABLED) {
+ rpz_save_p(st, rpz, rpz_type,
+ policy, p_name, prefix, result,
@@ -1296,8 +1296,8 @@ Index: bin/named/query.c
isc_result_t result;
st = client->query.rpz_st;
-@@ -4603,10 +4889,10 @@
- st->m.policy = DNS_RPZ_POLICY_MISS;
+@@ -4604,10 +4890,10 @@
+ st->m.ttl = ~0;
memset(&st->r, 0, sizeof(st->r));
memset(&st->q, 0, sizeof(st->q));
- dns_fixedname_init(&st->_qnamef);
@@ -1309,7 +1309,7 @@ Index: bin/named/query.c
st->r_name = dns_fixedname_name(&st->_r_namef);
st->fname = dns_fixedname_name(&st->_fnamef);
client->query.rpz_st = st;
-@@ -4619,7 +4905,7 @@
+@@ -4620,7 +4906,7 @@
case ISC_R_SUCCESS:
case DNS_R_GLUE:
case DNS_R_ZONECUT:
@@ -1318,7 +1318,7 @@ Index: bin/named/query.c
break;
case DNS_R_EMPTYNAME:
case DNS_R_NXRRSET:
-@@ -4629,73 +4915,155 @@
+@@ -4630,73 +4916,155 @@
case DNS_R_NCACHENXRRSET:
case DNS_R_CNAME:
case DNS_R_DNAME:
@@ -1425,10 +1425,12 @@ Index: bin/named/query.c
+ st->r.label = dns_name_countlabels(client->query.qname);
+ st->state &= ~(DNS_RPZ_DONE_QNAME_IP |
+ DNS_RPZ_DONE_IPv4);
-+
-+ }
- st->r.label = dns_name_countlabels(client->query.qname);
++ }
+
+- st->state &= ~(DNS_RPZ_DONE_QNAME_IP | DNS_RPZ_DONE_IPv4);
+- st->state |= DNS_RPZ_DONE_QNAME;
+ /*
+ * Quit if this was an attempt to find a qname or
+ * client-IP trigger before recursion.
@@ -1443,9 +1445,7 @@ Index: bin/named/query.c
+ */
+ if (qresult_type == 2)
+ goto cleanup;
-
-- st->state &= ~(DNS_RPZ_DONE_QNAME_IP | DNS_RPZ_DONE_IPv4);
-- st->state |= DNS_RPZ_DONE_QNAME;
++
+ /*
+ * DNS_RPZ_DONE_QNAME but not DNS_RPZ_DONE_CLIENT_IP
+ * is reset at the end of dealing with each CNAME.
@@ -1505,7 +1505,7 @@ Index: bin/named/query.c
/*
* Get NS rrset for each domain in the current qname.
*/
-@@ -4709,8 +5077,8 @@
+@@ -4710,8 +5078,8 @@
if (st->r.ns_rdataset == NULL ||
!dns_rdataset_isassociated(st->r.ns_rdataset)) {
dns_db_t *db = NULL;
@@ -1516,7 +1516,7 @@ Index: bin/named/query.c
&db, NULL, &st->r.ns_rdataset,
resuming);
if (db != NULL)
-@@ -4744,12 +5112,12 @@
+@@ -4745,12 +5113,12 @@
case ISC_R_FAILURE:
rpz_rewrite_ns_skip(client, nsname, result,
DNS_RPZ_DEBUG_LEVEL3,
@@ -1531,7 +1531,7 @@ Index: bin/named/query.c
continue;
}
}
-@@ -4765,8 +5133,8 @@
+@@ -4766,8 +5134,8 @@
dns_rdata_reset(&nsrdata);
if (result != ISC_R_SUCCESS) {
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
@@ -1542,7 +1542,7 @@ Index: bin/named/query.c
st->m.policy = DNS_RPZ_POLICY_ERROR;
goto cleanup;
}
-@@ -4782,11 +5150,11 @@
+@@ -4783,11 +5151,11 @@
* Check this NS name if we did not handle it
* during a previous recursion.
*/
@@ -1558,7 +1558,7 @@ Index: bin/named/query.c
&rdataset);
if (result != ISC_R_SUCCESS) {
dns_rdata_freestruct(&ns);
-@@ -4797,9 +5165,9 @@
+@@ -4798,9 +5166,9 @@
/*
* Check all IP addresses for this NS name.
*/
@@ -1571,7 +1571,7 @@ Index: bin/named/query.c
dns_rdata_freestruct(&ns);
if (result != ISC_R_SUCCESS)
goto cleanup;
-@@ -4809,10 +5177,16 @@
+@@ -4810,10 +5178,16 @@
} while (result == ISC_R_SUCCESS);
dns_rdataset_disassociate(st->r.ns_rdataset);
st->r.label--;
@@ -1589,7 +1589,7 @@ Index: bin/named/query.c
*/
result = ISC_R_SUCCESS;
-@@ -4827,7 +5201,7 @@
+@@ -4828,7 +5202,7 @@
if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
result != DNS_R_DELEGATION)
rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
@@ -1598,7 +1598,7 @@ Index: bin/named/query.c
rpz_match_clear(st);
}
if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
-@@ -4846,19 +5220,25 @@
+@@ -4847,19 +5221,25 @@
* by the client in DNSSEC or a lack of signatures.
*/
static isc_boolean_t
@@ -1627,7 +1627,7 @@ Index: bin/named/query.c
if (sigrdataset == NULL)
return (ISC_TRUE);
if (dns_rdataset_isassociated(sigrdataset))
-@@ -4938,7 +5318,7 @@
+@@ -4939,7 +5319,7 @@
if (result != ISC_R_SUCCESS)
return (result);
rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
@@ -1636,7 +1636,7 @@ Index: bin/named/query.c
ns_client_qnamereplace(client, fname);
/*
* Turn off DNSSEC because the results of a
-@@ -5997,13 +6377,15 @@
+@@ -5998,13 +6378,15 @@
}
#endif /* USE_RRL */
@@ -1655,7 +1655,7 @@ Index: bin/named/query.c
isc_result_t rresult;
rresult = rpz_rewrite(client, qtype, result, resuming);
-@@ -6041,12 +6423,17 @@
+@@ -6042,12 +6424,17 @@
rpz_st->state |= DNS_RPZ_REWRITTEN;
if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS &&
rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU &&
@@ -1678,7 +1678,7 @@ Index: bin/named/query.c
rpz_clean(&zone, &db, &node, NULL);
if (rpz_st->m.rdataset != NULL) {
query_putrdataset(client, &rdataset);
-@@ -6066,6 +6453,27 @@
+@@ -6067,6 +6454,27 @@
rpz_st->m.zone = NULL;
switch (rpz_st->m.policy) {
@@ -1706,7 +1706,7 @@ Index: bin/named/query.c
case DNS_RPZ_POLICY_NXDOMAIN:
result = DNS_R_NXDOMAIN;
break;
-@@ -6078,8 +6486,8 @@
+@@ -6079,8 +6487,8 @@
result != DNS_R_CNAME) {
/*
* We will add all of the rdatasets of
@@ -1717,7 +1717,7 @@ Index: bin/named/query.c
*/
if (dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
-@@ -6134,7 +6542,7 @@
+@@ -6135,7 +6543,7 @@
rpz_st->q.is_zone = is_zone;
is_zone = ISC_TRUE;
rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
@@ -1726,10 +1726,9 @@ Index: bin/named/query.c
}
}
-Index: bin/named/server.c
-===================================================================
---- bin/named/server.c.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/named/server.c 2014-01-21 17:56:13.518661534 +0100
+diff -r -u bin/named/server.c-orig bin/named/server.c
+--- bin/named/server.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/named/server.c 2004-01-01 00:00:00.000000000 +0000
@@ -375,7 +375,8 @@
static isc_result_t
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
@@ -1740,7 +1739,7 @@ Index: bin/named/server.c
static isc_result_t
add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
-@@ -1551,17 +1552,24 @@
+@@ -1556,17 +1557,24 @@
}
static isc_result_t
@@ -1769,7 +1768,7 @@ Index: bin/named/server.c
if (new == NULL) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"no memory for response policy zones");
-@@ -1569,20 +1577,29 @@
+@@ -1574,20 +1582,29 @@
}
memset(new, 0, sizeof(*new));
@@ -1805,7 +1804,7 @@ Index: bin/named/server.c
obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
if (cfg_obj_isuint32(obj)) {
-@@ -1590,6 +1607,8 @@
+@@ -1595,6 +1612,8 @@
} else {
new->max_policy_ttl = ttl_def;
}
@@ -1814,7 +1813,7 @@ Index: bin/named/server.c
str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
-@@ -1600,25 +1619,50 @@
+@@ -1605,25 +1624,50 @@
"invalid zone name '%s'", str);
return (DNS_R_EMPTYLABEL);
}
@@ -1871,7 +1870,7 @@ Index: bin/named/server.c
if (result != ISC_R_SUCCESS)
return (result);
-@@ -1637,6 +1681,116 @@
+@@ -1642,6 +1686,116 @@
return (result);
}
}
@@ -1988,7 +1987,7 @@ Index: bin/named/server.c
return (ISC_R_SUCCESS);
}
-@@ -2096,7 +2250,7 @@
+@@ -2109,7 +2263,7 @@
dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
unsigned int query_timeout, ndisp;
struct cfg_context *nzctx;
@@ -1997,7 +1996,7 @@ Index: bin/named/server.c
REQUIRE(DNS_VIEW_VALID(view));
-@@ -2194,44 +2348,7 @@
+@@ -2207,44 +2361,7 @@
obj = NULL;
if (view->rdclass == dns_rdataclass_in && need_hints &&
ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
@@ -2043,7 +2042,7 @@ Index: bin/named/server.c
}
/*
-@@ -2252,22 +2369,29 @@
+@@ -2265,22 +2382,29 @@
{
const cfg_obj_t *zconfig = cfg_listelt_value(element);
CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
@@ -2086,7 +2085,7 @@ Index: bin/named/server.c
}
}
-@@ -2293,7 +2417,7 @@
+@@ -2306,7 +2430,7 @@
const cfg_obj_t *zconfig = cfg_listelt_value(element);
CHECK(configure_zone(config, zconfig, vconfig,
mctx, view, actx,
@@ -2095,7 +2094,7 @@ Index: bin/named/server.c
}
}
-@@ -3737,7 +3861,8 @@
+@@ -3750,7 +3874,8 @@
static isc_result_t
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
@@ -2105,7 +2104,7 @@ Index: bin/named/server.c
{
dns_view_t *pview = NULL; /* Production view */
dns_zone_t *zone = NULL; /* New or reused zone */
-@@ -3758,8 +3883,7 @@
+@@ -3771,8 +3896,7 @@
const char *zname;
dns_rdataclass_t zclass;
const char *ztypestr;
@@ -2115,7 +2114,7 @@ Index: bin/named/server.c
options = NULL;
(void)cfg_map_get(config, "options", &options);
-@@ -3921,18 +4045,15 @@
+@@ -3934,18 +4058,15 @@
INSIST(dupzone == NULL);
/*
@@ -2140,7 +2139,7 @@ Index: bin/named/server.c
}
/*
-@@ -3943,7 +4064,9 @@
+@@ -3956,7 +4077,9 @@
* - The zone is compatible with the config
* options (e.g., an existing master zone cannot
* be reused if the options specify a slave zone)
@@ -2151,7 +2150,7 @@ Index: bin/named/server.c
*/
result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
view->rdclass, &pview);
-@@ -3957,7 +4080,8 @@
+@@ -3970,7 +4093,8 @@
if (zone != NULL && !ns_zone_reusable(zone, zconfig))
dns_zone_detach(&zone);
@@ -2161,7 +2160,7 @@ Index: bin/named/server.c
dns_zone_detach(&zone);
if (zone != NULL) {
-@@ -3982,8 +4106,8 @@
+@@ -3995,8 +4119,8 @@
dns_zone_setstats(zone, ns_g_server->zonestats);
}
@@ -2172,7 +2171,7 @@ Index: bin/named/server.c
if (result != ISC_R_SUCCESS) {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-@@ -8219,7 +8343,8 @@
+@@ -8286,7 +8410,8 @@
RUNTIME_CHECK(result == ISC_R_SUCCESS);
dns_view_thaw(view);
result = configure_zone(cfg->config, parms, vconfig,
@@ -2182,10 +2181,9 @@ Index: bin/named/server.c
dns_view_freeze(view);
isc_task_endexclusive(server->task);
if (result != ISC_R_SUCCESS)
-Index: bin/tests/system/rpz/Makefile
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ bin/tests/system/rpz/Makefile 2014-01-21 17:56:13.519661546 +0100
+diff -r -u bin/tests/system/rpz/Makefile-orig bin/tests/system/rpz/Makefile
+--- bin/tests/system/rpz/Makefile-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/Makefile 2004-01-01 00:00:00.000000000 +0000
@@ -0,0 +1,478 @@
+# Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
+#
@@ -2665,10 +2663,9 @@ Index: bin/tests/system/rpz/Makefile
+ /usr/include/stdio.h /usr/include/string.h /usr/include/strings.h
+
+# IF YOU PUT ANYTHING HERE IT WILL GO AWAY
-Index: bin/tests/system/rpz/clean.sh
-===================================================================
---- bin/tests/system/rpz/clean.sh.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/clean.sh 2014-01-21 17:56:13.519661546 +0100
+diff -r -u bin/tests/system/rpz/clean.sh-orig bin/tests/system/rpz/clean.sh
+--- bin/tests/system/rpz/clean.sh-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/clean.sh 2004-01-01 00:00:00.000000000 +0000
@@ -19,7 +19,7 @@
# Clean up after rpz tests.
@@ -2678,10 +2675,9 @@ Index: bin/tests/system/rpz/clean.sh
rm -f ns3/bl*.db ns*/*switch ns5/requests ns5/example.db ns5/bl.db ns5/*.perf
rm -f */named.memstats */named.run */named.stats */session.key
rm -f */*.jnl */*.core */*.pid
-Index: bin/tests/system/rpz/ns1/root.db
-===================================================================
---- bin/tests/system/rpz/ns1/root.db.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/ns1/root.db 2014-01-21 17:56:13.519661546 +0100
+diff -r -u bin/tests/system/rpz/ns1/root.db-orig bin/tests/system/rpz/ns1/root.db
+--- bin/tests/system/rpz/ns1/root.db-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/ns1/root.db 2004-01-01 00:00:00.000000000 +0000
@@ -38,3 +38,6 @@
; performance test
tld5. NS ns.tld5.
@@ -2689,10 +2685,9 @@ Index: bin/tests/system/rpz/ns1/root.db
+
+; generate SERVFAIL
+servfail NS ns.tld2.
-Index: bin/tests/system/rpz/ns2/bl.tld2.db
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ bin/tests/system/rpz/ns2/bl.tld2.db 2014-01-21 17:56:13.519661546 +0100
+diff -r -u bin/tests/system/rpz/ns2/bl.tld2.db-orig bin/tests/system/rpz/ns2/bl.tld2.db
+--- bin/tests/system/rpz/ns2/bl.tld2.db-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/ns2/bl.tld2.db 2004-01-01 00:00:00.000000000 +0000
@@ -0,0 +1,27 @@
+; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+;
@@ -2721,20 +2716,19 @@ Index: bin/tests/system/rpz/ns2/bl.tld2.db
+ A 10.53.0.3
+
+32.1.7.168.192.rpz-ip CNAME .
-Index: bin/tests/system/rpz/ns2/named.conf
-===================================================================
---- bin/tests/system/rpz/ns2/named.conf.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/ns2/named.conf 2014-01-21 17:56:13.519661546 +0100
+diff -r -u bin/tests/system/rpz/ns2/named.conf-orig bin/tests/system/rpz/ns2/named.conf
+--- bin/tests/system/rpz/ns2/named.conf-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/ns2/named.conf 2004-01-01 00:00:00.000000000 +0000
@@ -32,14 +32,6 @@
notify no;
};
-key rndc_key {
-- secret "1234abcd8765";
-- algorithm hmac-sha256;
+- secret "1234abcd8765";
+- algorithm hmac-sha256;
-};
-controls {
-- inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+- inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
-};
-
include "../trusted.conf";
@@ -2746,10 +2740,9 @@ Index: bin/tests/system/rpz/ns2/named.conf
-zone "bl.tld2." {type master; file "bl.tld2.db"; notify yes; notify-delay 1;};
+zone "bl.tld2." {type master; file "bl.tld2.db";};
-Index: bin/tests/system/rpz/ns2/tld2.db
-===================================================================
---- bin/tests/system/rpz/ns2/tld2.db.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/ns2/tld2.db 2014-01-21 17:56:13.519661546 +0100
+diff -r -u bin/tests/system/rpz/ns2/tld2.db-orig bin/tests/system/rpz/ns2/tld2.db
+--- bin/tests/system/rpz/ns2/tld2.db-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/ns2/tld2.db 2004-01-01 00:00:00.000000000 +0000
@@ -111,6 +111,9 @@
A 192.168.5.2
TXT "a5-1-2 tld2 text"
@@ -2760,10 +2753,9 @@ Index: bin/tests/system/rpz/ns2/tld2.db
a5-3 A 192.168.5.3
TXT "a5-3 tld2 text"
-Index: bin/tests/system/rpz/ns3/base.db
-===================================================================
---- bin/tests/system/rpz/ns3/base.db.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/ns3/base.db 2014-01-21 17:56:13.519661546 +0100
+diff -r -u bin/tests/system/rpz/ns3/base.db-orig bin/tests/system/rpz/ns3/base.db
+--- bin/tests/system/rpz/ns3/base.db-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/ns3/base.db 2004-01-01 00:00:00.000000000 +0000
@@ -21,30 +21,7 @@
; Its contents are also changed with nsupdate
@@ -2797,10 +2789,9 @@ Index: bin/tests/system/rpz/ns3/base.db
-; (or whatever) is available by publishing "foo A 10.2.3.4" and then
-; resolving foo.
-32.3.2.1.127.rpz-ip CNAME walled.invalid.
-Index: bin/tests/system/rpz/ns3/named.conf
-===================================================================
---- bin/tests/system/rpz/ns3/named.conf.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/ns3/named.conf 2014-01-21 17:56:13.520661557 +0100
+diff -r -u bin/tests/system/rpz/ns3/named.conf-orig bin/tests/system/rpz/ns3/named.conf
+--- bin/tests/system/rpz/ns3/named.conf-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/ns3/named.conf 2004-01-01 00:00:00.000000000 +0000
@@ -46,20 +46,24 @@
zone "bl-cname" policy cname txt-only.tld2.;
zone "bl-wildcname" policy cname *.tld4.;
@@ -2844,19 +2835,17 @@ Index: bin/tests/system/rpz/ns3/named.conf
zone "crash1.tld2" {type master; file "crash1";};
zone "crash2.tld3." {type master; file "crash2";};
-Index: bin/tests/system/rpz/ns5/named.args
-===================================================================
---- bin/tests/system/rpz/ns5/named.args.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/ns5/named.args 2014-01-21 17:56:13.520661557 +0100
+diff -r -u bin/tests/system/rpz/ns5/named.args-orig bin/tests/system/rpz/ns5/named.args
+--- bin/tests/system/rpz/ns5/named.args-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/ns5/named.args 2004-01-01 00:00:00.000000000 +0000
@@ -1,3 +1,3 @@
# run the performace test close to real life
--c named.conf -g
+-c named.conf -gd3
-Index: bin/tests/system/rpz/ns5/named.conf
-===================================================================
---- bin/tests/system/rpz/ns5/named.conf.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/ns5/named.conf 2014-01-21 17:56:13.520661557 +0100
+diff -r -u bin/tests/system/rpz/ns5/named.conf-orig bin/tests/system/rpz/ns5/named.conf
+--- bin/tests/system/rpz/ns5/named.conf-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/ns5/named.conf 2004-01-01 00:00:00.000000000 +0000
@@ -40,7 +40,7 @@
key rndc_key {
@@ -2887,10 +2876,9 @@ Index: bin/tests/system/rpz/ns5/named.conf
+zone "bl17." {type master; file "bl.db"; };
+zone "bl18." {type master; file "bl.db"; };
+zone "bl19." {type master; file "bl.db"; };
-Index: bin/tests/system/rpz/ns5/tld5.db
-===================================================================
---- bin/tests/system/rpz/ns5/tld5.db.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/ns5/tld5.db 2014-01-21 17:56:13.520661557 +0100
+diff -r -u bin/tests/system/rpz/ns5/tld5.db-orig bin/tests/system/rpz/ns5/tld5.db
+--- bin/tests/system/rpz/ns5/tld5.db-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/ns5/tld5.db 2004-01-01 00:00:00.000000000 +0000
@@ -22,42 +22,10 @@
NS ns1
NS ns2
@@ -2934,10 +2922,9 @@ Index: bin/tests/system/rpz/ns5/tld5.db
$ORIGIN example.tld5.
-Index: bin/tests/system/rpz/setup.sh
-===================================================================
---- bin/tests/system/rpz/setup.sh.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/setup.sh 2014-01-21 17:56:13.520661557 +0100
+diff -r -u bin/tests/system/rpz/setup.sh-orig bin/tests/system/rpz/setup.sh
+--- bin/tests/system/rpz/setup.sh-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/setup.sh 2004-01-01 00:00:00.000000000 +0000
@@ -26,11 +26,13 @@
sh clean.sh
@@ -3025,10 +3012,9 @@ Index: bin/tests/system/rpz/setup.sh
}' >ns5/requests
-
-cp ns2/bl.tld2.db.in ns2/bl.tld2.db
-Index: bin/tests/system/rpz/test1
-===================================================================
---- bin/tests/system/rpz/test1.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/test1 2014-01-21 17:56:13.520661557 +0100
+diff -r -u bin/tests/system/rpz/test1-orig bin/tests/system/rpz/test1
+--- bin/tests/system/rpz/test1-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/test1 2004-01-01 00:00:00.000000000 +0000
@@ -24,13 +24,13 @@
; QNAME tests
@@ -3072,10 +3058,9 @@ Index: bin/tests/system/rpz/test1
+; 34 qname-wait-recurse yes
+update add x.servfail.bl. 300 A 127.0.0.34
send
-Index: bin/tests/system/rpz/test2
-===================================================================
---- bin/tests/system/rpz/test2.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/test2 2014-01-21 17:56:13.520661557 +0100
+diff -r -u bin/tests/system/rpz/test2-orig bin/tests/system/rpz/test2
+--- bin/tests/system/rpz/test2-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/test2 2004-01-01 00:00:00.000000000 +0000
@@ -58,7 +58,7 @@
send
@@ -3094,10 +3079,9 @@ Index: bin/tests/system/rpz/test2
+; 17
+update add 32.1.0.53.10.rpz-client-ip.bl 300 A 127.0.0.17
+send
-Index: bin/tests/system/rpz/test5
-===================================================================
---- bin/tests/system/rpz/test5.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/test5 2014-01-21 17:56:13.520661557 +0100
+diff -r -u bin/tests/system/rpz/test5-orig bin/tests/system/rpz/test5
+--- bin/tests/system/rpz/test5-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/test5 2004-01-01 00:00:00.000000000 +0000
@@ -35,10 +35,8 @@
; 4
update add a3-4.tld2.bl-disabled. 300 A 127.0.0.4
@@ -3120,10 +3104,9 @@ Index: bin/tests/system/rpz/test5
+; 19
+update add a3-19.tld2.bl-tcp-only. 300 A 127.0.0.19
+send
-Index: bin/tests/system/rpz/test6
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ bin/tests/system/rpz/test6 2014-01-21 17:56:13.521661569 +0100
+diff -r -u bin/tests/system/rpz/test6-orig bin/tests/system/rpz/test6
+--- bin/tests/system/rpz/test6-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/test6 2004-01-01 00:00:00.000000000 +0000
@@ -0,0 +1,40 @@
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
+;
@@ -3165,10 +3148,9 @@ Index: bin/tests/system/rpz/test6
+update add *.credirect.bl. 300 CNAME google.com.
+;
+send
-Index: bin/tests/system/rpz/tests.sh
-===================================================================
---- bin/tests/system/rpz/tests.sh.orig 2013-12-20 01:28:28.000000000 +0100
-+++ bin/tests/system/rpz/tests.sh 2014-01-21 17:56:13.521661569 +0100
+diff -r -u bin/tests/system/rpz/tests.sh-orig bin/tests/system/rpz/tests.sh
+--- bin/tests/system/rpz/tests.sh-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rpz/tests.sh 2004-01-01 00:00:00.000000000 +0000
@@ -21,15 +21,15 @@
. $SYSTEMTESTTOP/conf.sh
@@ -3518,11 +3500,10 @@ Index: bin/tests/system/rpz/tests.sh
# restart the main test RPZ server to see if that creates a core file
if test -z "$HAVE_CORE"; then
-Index: doc/arm/Bv9ARM-book.xml
-===================================================================
---- doc/arm/Bv9ARM-book.xml.orig 2013-12-20 01:28:28.000000000 +0100
-+++ doc/arm/Bv9ARM-book.xml 2014-01-21 17:56:13.524661605 +0100
-@@ -4870,7 +4870,7 @@
+diff -r -u doc/arm/Bv9ARM-book.xml-orig doc/arm/Bv9ARM-book.xml
+--- doc/arm/Bv9ARM-book.xml-orig 2004-01-01 00:00:00.000000000 +0000
++++ doc/arm/Bv9ARM-book.xml 2004-01-01 00:00:00.000000000 +0000
+@@ -4873,7 +4873,7 @@
min-table-size number ;
} ;
response-policy { zone_name
@@ -3531,7 +3512,7 @@ Index: doc/arm/Bv9ARM-book.xml
recursive-only yes_or_no max-policy-ttl number ;
} recursive-only yes_or_no max-policy-ttl number
break-dnssec yes_or_no min-ns-dots number ;
-@@ -9164,77 +9164,122 @@
+@@ -9167,77 +9167,122 @@
Response policy zones are named in the
response-policy option for the view or among the
global options if there is no response-policy option for the view.
@@ -3710,7 +3691,7 @@ Index: doc/arm/Bv9ARM-book.xml
Among NSDNAME triggers, prefer the
trigger that matches the smallest name under the DNSSEC ordering.
-@@ -9253,83 +9298,168 @@
+@@ -9256,83 +9301,168 @@
When the processing of a response is restarted to resolve
DNAME or CNAME records and a policy record set has
not been triggered,
@@ -3946,7 +3927,7 @@ Index: doc/arm/Bv9ARM-book.xml
with a recursive-only no clause.
This feature is useful for serving the same zone files
both inside and outside an RFC 1918 cloud and using RPZ to
-@@ -9338,15 +9468,43 @@
+@@ -9341,15 +9471,43 @@
@@ -3999,7 +3980,7 @@ Index: doc/arm/Bv9ARM-book.xml
-@@ -9374,26 +9532,38 @@
+@@ -9377,26 +9535,38 @@
; QNAME policy records. There are no periods (.) after the owner names.
nxdomain.domain.com CNAME . ; NXDOMAIN policy
@@ -4041,10 +4022,9 @@ Index: doc/arm/Bv9ARM-book.xml
RPZ can affect server performance.
-Index: lib/dns/db.c
-===================================================================
---- lib/dns/db.c.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/dns/db.c 2014-01-21 17:56:13.525661616 +0100
+diff -r -u lib/dns/db.c-orig lib/dns/db.c
+--- lib/dns/db.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/db.c 2004-01-01 00:00:00.000000000 +0000
@@ -1007,21 +1007,23 @@
(db->methods->resigned)(db, rdataset, version);
}
@@ -4084,10 +4064,9 @@ Index: lib/dns/db.c
+ return (ISC_R_SUCCESS);
+ return ((db->methods->rpz_ready)(db));
}
-Index: lib/dns/ecdb.c
-===================================================================
---- lib/dns/ecdb.c.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/dns/ecdb.c 2014-01-21 17:56:13.525661616 +0100
+diff -r -u lib/dns/ecdb.c-orig lib/dns/ecdb.c
+--- lib/dns/ecdb.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/ecdb.c 2004-01-01 00:00:00.000000000 +0000
@@ -582,8 +582,8 @@
NULL, /* resigned */
NULL, /* isdnssec */
@@ -4099,10 +4078,9 @@ Index: lib/dns/ecdb.c
NULL, /* findnodeext */
NULL /* findext */
};
-Index: lib/dns/include/dns/db.h
-===================================================================
---- lib/dns/include/dns/db.h.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/dns/include/dns/db.h 2014-01-21 17:56:13.525661616 +0100
+diff -r -u lib/dns/include/dns/db.h-orig lib/dns/include/dns/db.h
+--- lib/dns/include/dns/db.h-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/include/dns/db.h 2004-01-01 00:00:00.000000000 +0000
@@ -172,14 +172,9 @@
dns_dbversion_t *version);
isc_boolean_t (*isdnssec)(dns_db_t *db);
@@ -4160,10 +4138,9 @@ Index: lib/dns/include/dns/db.h
*/
ISC_LANG_ENDDECLS
-Index: lib/dns/include/dns/rpz.h
-===================================================================
---- lib/dns/include/dns/rpz.h.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/dns/include/dns/rpz.h 2014-01-21 17:56:13.526661629 +0100
+diff -r -u lib/dns/include/dns/rpz.h-orig lib/dns/include/dns/rpz.h
+--- lib/dns/include/dns/rpz.h-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/include/dns/rpz.h 2004-01-01 00:00:00.000000000 +0000
@@ -25,19 +25,31 @@
#include
#include
@@ -4478,10 +4455,9 @@ Index: lib/dns/include/dns/rpz.h
ISC_LANG_ENDDECLS
-Index: lib/dns/include/dns/view.h
-===================================================================
---- lib/dns/include/dns/view.h.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/dns/include/dns/view.h 2014-01-21 17:56:13.526661629 +0100
+diff -r -u lib/dns/include/dns/view.h-orig lib/dns/include/dns/view.h
+--- lib/dns/include/dns/view.h-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/include/dns/view.h 2004-01-01 00:00:00.000000000 +0000
@@ -164,10 +164,7 @@
dns_acl_t * v4_aaaa_acl;
dns_dns64list_t dns64;
@@ -4494,10 +4470,9 @@ Index: lib/dns/include/dns/view.h
/*
* Configurable data for server use only,
-Index: lib/dns/include/dns/zone.h
-===================================================================
---- lib/dns/include/dns/zone.h.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/dns/include/dns/zone.h 2014-01-21 17:56:13.526661629 +0100
+diff -r -u lib/dns/include/dns/zone.h-orig lib/dns/include/dns/zone.h
+--- lib/dns/include/dns/zone.h-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/include/dns/zone.h 2004-01-01 00:00:00.000000000 +0000
@@ -2081,19 +2081,20 @@
*/
@@ -4523,10 +4498,9 @@ Index: lib/dns/include/dns/zone.h
void
dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level);
-Index: lib/dns/rbtdb.c
-===================================================================
---- lib/dns/rbtdb.c.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/dns/rbtdb.c 2014-01-21 17:56:13.528661652 +0100
+diff -r -u lib/dns/rbtdb.c-orig lib/dns/rbtdb.c
+--- lib/dns/rbtdb.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/rbtdb.c 2004-01-01 00:00:00.000000000 +0000
@@ -453,7 +453,9 @@
dns_rbt_t * tree;
dns_rbt_t * nsec;
@@ -4597,7 +4571,7 @@ Index: lib/dns/rbtdb.c
"dns_rbt_deletenode: %s",
isc_result_totext(result));
}
-@@ -2538,14 +2550,15 @@
+@@ -2540,14 +2552,15 @@
result = dns_rbt_addnode(tree, name, &node);
if (result == ISC_R_SUCCESS) {
#ifdef BIND9
@@ -4615,7 +4589,7 @@ Index: lib/dns/rbtdb.c
}
#endif
dns_rbt_namefromnode(node, &nodename);
-@@ -4547,228 +4560,45 @@
+@@ -4549,228 +4562,45 @@
return (result);
}
@@ -4713,23 +4687,23 @@ Index: lib/dns/rbtdb.c
- switch (rdata.type) {
- case dns_rdatatype_a:
- INSIST(rdata.length == 4);
-- memcpy(&ina.s_addr, rdata.data, 4);
+- memmove(&ina.s_addr, rdata.data, 4);
- isc_netaddr_fromin(&netaddr, &ina);
- break;
- case dns_rdatatype_aaaa:
- INSIST(rdata.length == 16);
-- memcpy(in6a.s6_addr, rdata.data, 16);
+- memmove(in6a.s6_addr, rdata.data, 16);
- isc_netaddr_fromin6(&netaddr, &in6a);
- break;
- default:
- continue;
- }
-
+-
- result = dns_rpz_cidr_find(rbtdb->rpz_cidr, &netaddr, rpz_type,
- selfname, qname, &prefix);
- if (result != ISC_R_SUCCESS)
- continue;
--
+
- /*
- * If we already have a rule, discard this new rule if
- * is not better.
@@ -4868,9 +4842,9 @@ Index: lib/dns/rbtdb.c
}
#endif
-@@ -6874,8 +6704,9 @@
- noderesult = dns_rbt_addnode(rbtdb->tree, name, nodep);
+@@ -6938,8 +6768,9 @@
+ done:
#ifdef BIND9
- if (noderesult == ISC_R_SUCCESS && rbtdb->rpz_cidr != NULL)
- dns_rpz_cidr_addip(rbtdb->rpz_cidr, name);
@@ -4878,9 +4852,9 @@ Index: lib/dns/rbtdb.c
+ noderesult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num,
+ name);
#endif
-
- if (!hasnsec)
-@@ -7060,6 +6891,20 @@
+ if (noderesult == ISC_R_SUCCESS || noderesult == ISC_R_EXISTS)
+ *nodep = node;
+@@ -7074,6 +6905,20 @@
RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
@@ -4901,7 +4875,7 @@ Index: lib/dns/rbtdb.c
REQUIRE((rbtdb->attributes & (RBTDB_ATTR_LOADED|RBTDB_ATTR_LOADING))
== 0);
rbtdb->attributes |= RBTDB_ATTR_LOADING;
-@@ -7461,8 +7306,8 @@
+@@ -7476,8 +7321,8 @@
isdnssec,
NULL,
#ifdef BIND9
@@ -4912,7 +4886,7 @@ Index: lib/dns/rbtdb.c
#else
NULL,
NULL,
-@@ -7776,6 +7621,9 @@
+@@ -7791,6 +7636,9 @@
}
rbtdb->attributes = 0;
rbtdb->task = NULL;
@@ -4922,10 +4896,9 @@ Index: lib/dns/rbtdb.c
/*
* Version Initialization.
-Index: lib/dns/rpz.c
-===================================================================
---- lib/dns/rpz.c.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/dns/rpz.c 2014-01-21 17:56:13.529661664 +0100
+diff -r -u lib/dns/rpz.c-orig lib/dns/rpz.c
+--- lib/dns/rpz.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/rpz.c 2004-01-01 00:00:00.000000000 +0000
@@ -37,6 +37,7 @@
#include
#include
@@ -7213,7 +7186,8 @@ Index: lib/dns/rpz.c
- * but there are objections.
+ * but some people object.
*/
- memcpy(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));
+- memmove(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));
++ memcpy(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));
for (i = 0; i < 4; i++) {
tgt_ip.w[i] = ntohl(src_ip6.w[i]);
}
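Review bot: The regenerated patch now changes `memmove(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));` back to `memcpy(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));` in lib/dns/rpz.c, which is the one place in this rebase where the patch reverts a 9.9.5 base-tree edit instead of adapting to it. As far as the hunk shows the source and destination are distinct objects, so the copy behaves the same either way, but the revert reads like an artefact of diffing against an older rpz2 tree rather than a deliberate change, and it leaves the patched file inconsistent with the surrounding 9.9.5 sources. Unless memcpy is wanted here, drop the `-`/`+` pair so the line stays as unchanged context in the patch. The enclosing function starts and ends outside the hunk.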
@@ -7392,10 +7366,9 @@ Index: lib/dns/rpz.c
*/
if (dns_name_equal(&cname.cname, &rpz->passthru))
return (DNS_RPZ_POLICY_PASSTHRU);
-Index: lib/dns/view.c
-===================================================================
---- lib/dns/view.c.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/dns/view.c 2014-01-21 17:56:13.530661676 +0100
+diff -r -u lib/dns/view.c-orig lib/dns/view.c
+--- lib/dns/view.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/view.c 2004-01-01 00:00:00.000000000 +0000
@@ -197,9 +197,7 @@
view->maxbits = 0;
view->v4_aaaa = dns_v4_aaaa_ok;
@@ -7417,79 +7390,10 @@ Index: lib/dns/view.c
#ifdef USE_RRL
dns_rrl_view_destroy(view);
#else /* USE_RRL */
-Index: lib/dns/win32/libdns.def
-===================================================================
---- lib/dns/win32/libdns.def.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/dns/win32/libdns.def 2014-01-21 17:56:13.530661676 +0100
-@@ -130,8 +130,8 @@
- dns_db_overmem
- dns_db_printnode
- dns_db_register
--dns_db_rpz_enabled
--dns_db_rpz_findips
-+dns_db_rpz_attach
-+dns_db_rpz_ready
- dns_db_subtractrdataset
- dns_db_unregister
- dns_dbiterator_current
-@@ -639,17 +639,22 @@
- dns_result_torcode
- dns_result_totext
- dns_rootns_create
-+dns_rpz_add
-+dns_rpz_attach_rpzs
-+dns_rpz_beginload
- dns_rpz_cidr_addip
--dns_rpz_cidr_deleteip
- dns_rpz_cidr_find
--dns_rpz_cidr_free
- dns_rpz_decode_cname
--dns_rpz_enabled_get
--dns_rpz_new_cidr
-+dns_rpz_delete
-+dns_rpz_delete_node
-+dns_rpz_detach_rpzs
-+dns_rpz_find_ip
-+dns_rpz_find_name
-+dns_rpz_new_zones
- dns_rpz_policy2str
-+dns_rpz_ready
- dns_rpz_str2policy
- dns_rpz_type2str
--dns_rpz_view_destroy
- dns_rriterator_current
- dns_rriterator_destroy
- dns_rriterator_first
-@@ -810,7 +815,7 @@
- dns_zone_forcereload
- dns_zone_forwardupdate
- dns_zone_fulldumptostream
--dns_zone_get_rpz
-+dns_zone_get_rpz_num
- dns_zone_getadded
- dns_zone_getchecknames
- dns_zone_getclass
-@@ -838,6 +843,7 @@
- dns_zone_getqueryonacl
- dns_zone_getraw
- dns_zone_getrequeststats
-+dns_zone_getrpz_num
- dns_zone_getserial
- dns_zone_getserial2
- dns_zone_getserialupdatemethod
-@@ -875,6 +881,7 @@
- dns_zone_refresh
- dns_zone_rekey
- dns_zone_replacedb
-+dns_zone_rpz_attach
- dns_zone_rpz_enable
- dns_zone_setacache
- dns_zone_setadded
-Index: lib/dns/xfrin.c
-===================================================================
---- lib/dns/xfrin.c.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/dns/xfrin.c 2014-01-21 17:56:13.530661676 +0100
-@@ -280,7 +280,7 @@
+diff -r -u lib/dns/xfrin.c-orig lib/dns/xfrin.c
+--- lib/dns/xfrin.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/xfrin.c 2004-01-01 00:00:00.000000000 +0000
+@@ -279,7 +279,7 @@
0, NULL, /* XXX guess */
dbp);
if (result == ISC_R_SUCCESS)
@@ -7498,11 +7402,10 @@ Index: lib/dns/xfrin.c
return (result);
}
-Index: lib/dns/zone.c
-===================================================================
---- lib/dns/zone.c.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/dns/zone.c 2014-01-21 17:56:13.533661711 +0100
-@@ -346,9 +346,10 @@
+diff -r -u lib/dns/zone.c-orig lib/dns/zone.c
+--- lib/dns/zone.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/zone.c 2004-01-01 00:00:00.000000000 +0000
+@@ -357,9 +357,10 @@
isc_boolean_t added;
/*%
@@ -7515,7 +7418,7 @@ Index: lib/dns/zone.c
/*%
* Serial number update method.
-@@ -915,7 +916,8 @@
+@@ -940,7 +941,8 @@
zone->nodes = 100;
zone->privatetype = (dns_rdatatype_t)0xffffU;
zone->added = ISC_FALSE;
@@ -7525,7 +7428,7 @@ Index: lib/dns/zone.c
ISC_LIST_INIT(zone->forwards);
zone->raw = NULL;
zone->secure = NULL;
-@@ -1019,6 +1021,13 @@
+@@ -1043,6 +1045,13 @@
zone_detachdb(zone);
if (zone->acache != NULL)
dns_acache_detach(&zone->acache);
@@ -7539,7 +7442,7 @@ Index: lib/dns/zone.c
zone_freedbargs(zone);
RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL, NULL, 0)
== ISC_R_SUCCESS);
-@@ -1511,7 +1520,9 @@
+@@ -1535,7 +1544,9 @@
* Set the response policy index and information for a zone.
*/
isc_result_t
@@ -7550,7 +7453,7 @@ Index: lib/dns/zone.c
/*
* Only RBTDB zones can be used for response policy zones,
* because only they have the code to load the create the summary data.
-@@ -1522,26 +1533,37 @@
+@@ -1546,26 +1557,37 @@
strcmp(zone->db_argv[0], "rbt64") != 0)
return (ISC_R_NOTIMPLEMENTED);
@@ -7598,7 +7501,7 @@ Index: lib/dns/zone.c
}
static isc_result_t
-@@ -1997,9 +2019,7 @@
+@@ -2025,9 +2047,7 @@
isc_result_t tresult;
unsigned int options;
@@ -7609,7 +7512,7 @@ Index: lib/dns/zone.c
options = get_master_options(zone);
if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
options |= DNS_MASTER_MANYERRORS;
-@@ -4177,6 +4197,11 @@
+@@ -4210,6 +4230,11 @@
if (result != ISC_R_SUCCESS)
goto cleanup;
} else {
@@ -7621,9 +7524,9 @@ Index: lib/dns/zone.c
zone_attachdb(zone, db);
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
DNS_ZONE_SETFLAG(zone,
-@@ -13142,6 +13167,12 @@
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(LOCKED_ZONE(zone));
+@@ -13455,6 +13480,12 @@
+ if (inline_raw(zone))
+ REQUIRE(LOCKED_ZONE(zone->secure));
+#ifdef BIND9
+ result = dns_db_rpz_ready(db);
@@ -7634,10 +7537,9 @@ Index: lib/dns/zone.c
result = zone_get_from_db(zone, db, &nscount, &soacount,
NULL, NULL, NULL, NULL, NULL, NULL);
if (result == ISC_R_SUCCESS) {
-Index: lib/isccfg/namedconf.c
-===================================================================
---- lib/isccfg/namedconf.c.orig 2013-12-20 01:28:28.000000000 +0100
-+++ lib/isccfg/namedconf.c 2014-01-21 17:56:13.534661723 +0100
+diff -r -u lib/isccfg/namedconf.c-orig lib/isccfg/namedconf.c
+--- lib/isccfg/namedconf.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/isccfg/namedconf.c 2004-01-01 00:00:00.000000000 +0000
@@ -1054,11 +1054,12 @@
/*%
@@ -7685,15 +7587,15 @@ Index: lib/isccfg/namedconf.c
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_rpz = {
-Index: version
-===================================================================
---- version.orig 2013-12-20 01:28:28.000000000 +0100
-+++ version 2014-01-21 17:56:13.534661723 +0100
-@@ -7,6 +7,6 @@
+diff -r -u version-orig version
+--- version-orig 2004-01-01 00:00:00.000000000 +0000
++++ version 2004-01-01 00:00:00.000000000 +0000
+@@ -7,7 +7,7 @@
DESCRIPTION="(Extended Support Version)"
MAJORVER=9
MINORVER=9
--PATCHVER=4
-+PATCHVER=4-rpz2.13269.14
+-PATCHVER=5
++PATCHVER=5-rpz2+rl.14038.05
RELEASETYPE=-P
- RELEASEVER=2
+ RELEASEVER=1
+ EXTENSIONS=